from the access-not-specifically-authorized-is-not-'unauthorized-access' dept

Last month, we covered the incredible case of an unnamed 19-year-old who was facing criminal charges for downloading publicly-available documents from a government Freedom of Information portal. The teen had written a script to fetch all available documents from the Nova Scotia's government FOI site -- a script that did nothing more than increment digits at the end of the URL to find everything that had been uploaded by the government.

The government screwed up. It uploaded documents to the publicly-accessible server that hadn't been redacted yet. It was a very small percentage of the total haul -- 250 of the 7,000 docs obtained -- but the government made a very big deal out of it after discovering they had been accessed.

The government complained to the police and had the downloader hauled in to face unauthorized access charges, claiming he had "exploited a vulnerability" to obtain unredacted files. But no exploit was used. It was the government that left unredacted documents in a publicly-accessible space. Nevertheless, the teen's home was raided, his family accosted, and several electronic devices seized -- including those of family members. The 19-year-old's younger brother was even detained by officers while walking to school.

Government officials claimed the teen "stole" documents, and pushed for criminal charges which could have resulted in a ten-year sentence for downloading documents from a government portal designed to facilitate the downloading of documents.

In an email to CBC News, Halifax police Supt. Jim Perrin did not mention what kind of information police were given from the province, but he said it was a "high-profile case that potentially impacted many Nova Scotians."

"As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information," Perrin said in the email.

The "information" the province "handed over" was probably nothing more than the belated recognition that pursuing criminal charges had accomplished nothing more than exposing the government's careless handling of citizens' personal information and its willingness to find a scapegoat to burden with its failure. The government also revealed 11 other IP addresses had accessed the same unredacted documents, which only further solidified the government's complicity in public access to unredacted personal info.

Prosecutors would have struggled to prove intent -- something law enforcement likely recognized shortly after taking up the case. And this would have been a case they couldn't ignore, not with government officials making lots of noise about hacking that never took place and "unauthorized" access that was plainly authorized by their inability or unwillingness to properly secure documents that hadn't been vetted or redacted. It's already suffered a PR black eye. This move to disengage simply reduces the chance of further injury.

Reader Comments

So when is the kid and his family receiving a hefty monetary compensation for all the trauma? I'll bet that with luck it will be in the lines "better later than never" a few decades in the future. With luck.

Well Actually...

Prosecutors would have struggled to prove intent -- something law enforcement likely recognized shortly after taking up the case.

It's a dumb law but they could have prosecuted the kid under the "Unauthorized Use of a Computer" law. It is a broad law that makes everyone who isn't Amish guilty. It still exists though and the charges were dropped more as a public backpedaling than of a legal issue.

Re: Well Actually...

The very first paragraph says "who, fraudulently and without colour of right". Where's the fraud? Does being a public FOIA document portal not weigh in favor of a "colour of right"? The basis of FOIA-type laws is that the public has a right to government information.

Re: Re: Well Actually...

There's a potentially darker side to this story that doesn't often get reported, and which may explain the zeal with which the Halifax Regional Police pursued this case: the second-in-command of the police service that's harassed this kid, Deputy Chief Robin McNeil, is the brother of Premier Stephen McNeil - the elected head of the government in question.

Re: Re: Re: Well Actually...

When it comes to computers, it means that there was a restriction on the content they accessed, allowing certain people to view it and preventing other people from viewing it, which was then bypassed.

Such a bypass would be something like, entering someone else's username and password to gain their access; or intercepting data being transmitted to an authorized user; or specifically targeting an exploit in the security measure until it is bypassed.

"Accessing a hyperlink that anyone in the world had the ability to access" is not covered by that. There's no restriction. There's no fraud. Anyone in the world with a working web browser could have accessed those files in the exact same manner as they could have accessed the files they were intended to have access to.

Heard overhead

What about the provider?

It is hardly surprising the charges against the teen have been dropped, but what about the other side?

The breach of privacy occurred not when the teen downloaded the information but when the information was made available via the insecure portal, regardless of whether one (or 11) people accessed it.

Will any charges be laid against the contractor or government personnel who exposed information that should have been private or redacted? Will someone lose their job or contract over matter? Will there be any internal disciplinary action? Will the Department head or Minister claim accountability for the breach and resign?

If a significant reason charges were laid in this matter to begin was the undue external influence of the Premier on the Police Chief, does that not also constitute a violation?